Debian Patches
Status for mediawiki/1:1.39.17-1+deb12u2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 0001-Have-Scribunto-use-packaged-lua5.1-rather-than-bundl.patch | Have Scribunto use packaged lua5.1 rather than bundled | Kunal Mehta <legoktm@debian.org> | not-needed | | | 2020-07-31 |
| 0002-Have-SyntaxHighlight-use-packaged-pygmentize-rather-.patch | Have SyntaxHighlight use packaged pygmentize, rather than bundled | Kunal Mehta <legoktm@debian.org> | not-needed | | | 2022-09-25 |
| 0003-CVE-2026-34092.patch | SECURITY: Ignore autoblocks when setting Skin's toolbox links CVE-2026-34092 Why: An autoblock from a user can expose its existence by being found on a page with the IP as the relevant user What: - Only consider a target blocked if the block is not an autoblock | STran <stran@wikimedia.org> | no | | upstream | 2025-12-18 |
| 0004-CVE-2026-34088.patch | SECURITY: Remove suppressed content from log page CVE-2026-34088 When certain MediaWiki log data is hidden/suppressed, it can be exposed via Special:RecentChanges's html, via the data-target-page attribute. This change updates data-target-attribute to show the rev-deleted-event message if the user does not have permissions to view the log data. | Maryum Styles <mstyles@wikimedia.org> | no | | upstream | 2026-01-20 |
| 0005-CVE-2026-34093.patch | SECURITY: Restrict access to interwiki user groups on S:UserRights CVE-2026-34093 Why: * Special:UserRights could be used to enumerate users on private wikis, even if performer has no special permissions. What: * If performer has no `userrights-interwiki` permission, redirect them to the remote wiki for viewing permissions there. | Marcin Szwarc <mszwarc@wikimedia.org> | no | | upstream | 2026-01-14 |
| 0006-CVE-2026-34095.patch | SECURITY: Actions: Make headers set after redirect actually apply CVE-2026-34095 If a special page redirect is done, the Request object in the context is set to a DerivativeRequest, which extends from FauxRequest and thus returns a FauxResponse from WebRequest::response(). This patch updates the actions entry point to copy any headers set in that FauxResponse object to be applied to the real response object, to make sure that e.g. the correct Content-Type is set for redirected action=raw requests. | Taavi Väänänen <taavi@wikimedia.org> | no | | upstream | 2026-03-06 |
| 0007-CVE-2026-34087.patch | SECURITY: Don't leak user's lack of 2FA to other users CVE-2026-34087 There are some ways that the onUserEffectiveGroups hook can be called for a user who is not the currently logged-in user, for example through the action=query&list=users API. If a user is in a restricted group that requires 2FA, but doesn't have 2FA enabled, this fact is leaked through this API and other channels. To fix this information leak, don't modify the user's effective groups unless the user in question is the user who is logged in. This means that a user who is a member of a 2FA-requiring group but doesn't have 2FA won't be treated as a member of that group when they are logged in (and won't be able to take actions restricted to that group), but if another user asks, we will pretend that the user is in that group. In particular, this means that users who are in a 2FA-requiring group but don't have 2FA will still get the group JS and CSS for that group, because load.php is a session-less endpoint. | Roan Kattouw <roan.kattouw@gmail.com> | no | | upstream | 2026-01-22 |
All known versions for source package 'mediawiki'
- 1:1.43.8+dfsg-2 (sid, forky)
- 1:1.43.8+dfsg-1~deb13u1 (trixie-security, trixie-proposed-updates)
- 1:1.43.6+dfsg-1~deb13u1 (trixie)
- 1:1.39.17-1+deb12u2 (bookworm-security, bookworm-proposed-updates)
- 1:1.39.17-1~deb12u1 (bookworm)
